
CWUR 7-70-080 Identity and Access Management Framework

Identity and access management (IAM) is a framework of business processes, policies and technologies that facilitates the management of electronic or digital identities.

(1) Scope

This procedure applies to all information systems and information resources owned or operated by or on behalf of the university. All university employees are responsible for adhering to this procedure and the associated policy, CWUP 2-70-080 Identity and Access Management Framework Policy.

(2) Procedure

IAM is a framework that consists of policies, procedures, and technologies to ensure users have the appropriate and necessary access to resources, services, and locations at the appropriate time. IAM is closely tied to governance, risk, and compliance.

(3) Framework

The IAM framework, from a simplified perspective, uses the model described below:

(A) CWU shall require a process for establishing levels of confidence in the digital identities used in systems, and a process to revoke them.

(B) Each entity should never correspond to more than one digital identity, unless required for clearly defined and documented business or operational reasons (i.e. not convenience). Examples of additional digital identities are given below.

(4) Examples

For example, the entity Senior VP has one digital identity that allows logging into MyCWU. Another digital identity of the Senior VP, connected to the connection card, allows access into certain buildings on campus (i.e. one entity with two identities).

Another example is the entity Technical Analyst, who has one digital identity that allows logging into MyCWU and another digital identity that allows privileged access to the network environments (i.e. A-account). The Technical Analyst also has a connection card with access to campus buildings (i.e. one entity with three digital identities).

A third example is a student employee who works for the Registrar and has access to student records. This student has a standard user account along with a department position account that grants her/him/them privileged access to the business systems. The student also has a connection card that allows access to her/his/their dormitory (i.e. one entity with three identities).

The intent is to keep the number of identities assigned to entities to an absolute minimum.

(5) Provisioning

The provisioning process monitors access rights and privileges to ensure the security of university resources and user privacy. As a secondary responsibility, it ensures compliance and minimizes the vulnerability of systems to penetration and abuse. This process for assigning or revoking access rights should include:

(A) Requiring authorization from the asset/data owner; separate approval for access rights from management may also be appropriate;

(B) Verifying that the level of access granted is appropriate and is consistent with other requirements such as segregation of duties;

(C) Ensuring that access rights are not activated before authorization procedures are completed;

(D) Maintaining a central record of access rights granted to information systems and services;

(E) Adapting access rights of users who have changed roles or jobs and immediately removing or blocking access rights of users who have left the organization;

(F) Periodically reviewing access rights with owners of the information systems or services.

(6) Control

Asset and data owners, as defined in the CWUP 2-70-010 Information Security and Privacy Roles and Responsibilities, should determine appropriate access control rules, access rights and restrictions for specific user roles towards their assets, with the amount of detail and the strictness of the controls consistent with the associated information security risks, or data classification as determined by the CWUP 2-70-020 Data Classification and Usage Policy.

(A) A formal, documented, and auditable process for authorization is required.

(B) Segregation of access control roles should be used (e.g. access request, access authorization, and access administration).

(C) Access is provided on the principle of least-privilege, need-to-know. You are only granted access to the information you need to perform your assigned tasks.

(D) Privileged access may require a separate digital identity for an entity, based on the associated information security risks and restrictions determined by the asset/data owner.

(E) Where appropriate, role-based access will be used to link access with business roles.

(F) Multi-factor authentication is required for all employees.

(7) Review of Access

(A) Asset/data owners or their designee should review users’ access rights at regular intervals.

(B) User access rights should be reviewed and re-allocated when moving from one role to another within the same organization;

(C) Authorizations for privileged access rights should be reviewed at more frequent intervals;

(D) Privilege allocations should be checked at regular intervals to ensure that unauthorized privileges have not been obtained;

(E) Changes to privileged accounts should be logged for periodic review.
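The provisioning, control and review rules in (5), (6) and (7) as one small worked model, added here as an illustration and not part of the CWU procedure or of any CWU system; the owner, asset, account and role names are assumptions:

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

# Hypothetical model of the provisioning, control and review rules in (5)-(7); it is
# constructed for illustration, not CWU's own system, and all names are made up.

@dataclass
class AccessGrant:
    entity: str                # the person; one entity may hold several identities
    identity: str              # e.g. a standard account or a privileged A-account
    asset: str
    privileged: bool
    requested_by: str
    authorized_by: str | None = None
    active: bool = False
    last_reviewed: str | None = None   # ISO date of activation or last review

class AccessRegister:
    """Central record of access rights granted to systems and services (5(D))."""
    def __init__(self, owners: dict[str, str]):
        self.owners = owners                 # asset -> asset/data owner
        self.grants: list[AccessGrant] = []
    def request(self, entity, identity, asset, privileged, requested_by):
        grant = AccessGrant(entity, identity, asset, privileged, requested_by)
        self.grants.append(grant)
        return grant
    def authorize(self, grant, approver):
        # 5(A): the asset/data owner authorizes; 6(B): never the requester.
        if approver != self.owners[grant.asset] or approver == grant.requested_by:
            raise PermissionError("authorization must come from the asset owner, not the requester")
        grant.authorized_by = approver
    def activate(self, grant, admin, today):
        # 5(C): no activation before authorization; 6(B): administration is a third role.
        if grant.authorized_by is None:
            raise PermissionError("access rights not yet authorized")
        if admin in (grant.requested_by, grant.authorized_by):
            raise PermissionError("administration must be segregated from request and authorization")
        grant.active, grant.last_reviewed = True, today
    def offboard(self, entity):
        # 5(E): immediately remove the access rights of users who have left.
        for grant in self.grants:
            if grant.entity == entity:
                grant.active = False
    def due_for_review(self, today, standard_days=365, privileged_days=90):
        # 7(A)/(C): review at regular intervals, more frequently for privileged access.
        age = lambda g: (date.fromisoformat(today) - date.fromisoformat(g.last_reviewed)).days
        return [g for g in self.grants
                if g.active and age(g) >= (privileged_days if g.privileged else standard_days)]
```

The review intervals are placeholders; the procedure sets no specific numbers.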

(8) Responsibilities

For more information on roles and responsibilities, and definition of terms, refer to CWUP 2-70-010 Information Security and Privacy Roles and Responsibilities.

(9) Procedure Maintenance

The Chief Information Security Officer shall review and recommend any change to this procedure statement at least annually or more frequently as needed to respond to changes in the regulatory environment and internal business practices.

(10) Additional Information

For additional resources, further information on this policy statement, or for a definition of any term used in this policy document, please see the Security Services website at

[Responsibility: Operations Division; Authority: Cabinet/UPAC; Reviewed/Endorsed by: Cabinet/UPAC; Review/Effective Date: 04/14/2021; Approved by: James L. Gaudino, President]
